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(54) System and method for providing anonymous personalized browsing in a network 



(57) For use with a network having server sites ca- 
pable of being browsed by users based on identifiers 
received into the server sites and personal to the users, 
alternative proxy systems for providing substitute iden- 
tifiers to the server sites that allow the users to browse 
the server sites anonymously via the proxy system. A 
central proxy system includes computer-executable 
routines that process site-specific substitute identifiers 
constructed from data specific to the users, that trans- 
mits the substitute identifiers to the server sites, that re- 



transmits browsing commands received from the users 
to the server sites, and that removes portions of the 
browsing commands that would identify the users to the 
server sites. The foregoing functionality is perfonrned 
consistently by the central proxy system during subse- 
quent visits to a given server site as the sarrte site spe- 
cific substitute identifiers are reused. Consisterit use of 
the site specific substitute tdsntiners enables the server 
site to recognize a retuming user and. possibly, provkJe 
personalized service. >-'^:'^:^'^'s^i^i^c'iz 
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Description 

TECHNICAL FIELD OF THE INVENTION 

The present invention is directed, in general, to net- 
works and. more specifically, to a system and method 
that allows a user to browse personalized server re- 
sources on a network anonymously. 

BACKGROUND OF THE INVENTION 

The Internet is a well-known collection of networks 
{e.g., public and private data communication and multi- 
media networks) that work together (cooperate) using 
common protocols to form a world wide network of net- 
works. 

In recent years, the availability of more efficient, re- 
liable and cost-effective computers and networking 
tools have allowed many companies and individuals 
(collecirvely, •users") to become involved In an ever 
growing electronic marketplace. The immeasurable 
gains in technology experienced by the computer indus- 
try overall have allowed these users to rely on commer- 
cially available computers, such as personal computers 
("PCS'), to meet their information processing and com- 
munication needs. To that end. PC manufacturers equip 
most PCS with an interface that may be used for com- 
munication over networks, such as the Internet. 

The Internet continues to increase its position as an 
integral place for businesses that offers information and 
services to potential customers. Popular examples of 
such businesses are news providers {e.g., www.cnn. 
com (the Cable News Network), www.nytimes.com (the 
New York Times), www.wsj.com (the Wall Street Jour- 
nal), www.ft.com (Financial Times Magazine), vmw. 
businessweek.com (Business Week Magazine)); car 
manufacturers {e.g., www. ford. com/us (the Ford Motor 
Company), www.gm.com (the General Motor Compa- 
ny), www.toyota.com (the Toyota Motor Company)); 
book stores {e.g., wvvw.ama20n.com (Amazon.com 
books)); software providers {e.g., wvvw.microsoft.com 
(the Microsoft software company)) and many more. 

Most often, such a business sets up a home page 
on the World Wide Web (a 'web-site,' the World wide 
Web is a logical overlay of the Internet). The web-site 
constitutes an electronically -addressable location that 
may be used for promoting, advertising and conducting 
business. Potential electronic customers use web- 
browsers {e.g., NETSCAPE NAVIGATOR®, MICRO- 
SOFT EXPLORER®, etc.) to access the information of- 
fered on those web-sites. 

An increasing number of web sites offer personal- 
ized sen/ces that may include 'personalized web pag- 
es' customized to a user's interests, with hyper-links (a 
reference or link from some point in one hypertext doc- 
ument to some point in another document or another 
place in the same document -- often displayed in some 
distinguishing way {e.g., in a different color, font or 



style)) and displayed messages tailored according to 
the user's preferences. Such preferences can be ascer- 
tained by having a user establish an account with that 
web-site. This allows the web-site to store information 

5 about the user's previous visits, either by tracking the 
hyper-links the user followed or through explicit dialogs 
with the user For example, the Wall Street Journal pro- 
vides a 'personalized journal' to each user, where the 
sequence and selection of sections is customized. In or- 

10 der to open an account, the user typically has to com- 
plete a form electronically, providing a user name, a 
password, an electronic-mail ('e-mail') address, etc. 
The latter is often used by the web-site to send back 
information not provided on the wieb-site itself to the us- 

'5 er 

Given the inherent lack of privacy of electronic com- 
municaton over the Intemst generally, and. particularly, 
the World Wide Web, it has long been felt that a system 
that could ensure private electronic communication 

20 would be highly advantageous. As an example of the 
problem, consider the plight of a customer that would 
like to browse the World Wide Web in a safe and private 
(anonymous) manner, visiting sites that provide person- 
alized service. The customer would like to establish ac- 

25 counts on web-sites without revealing his true identity, 
and without reusing the same user names, passwords, 
for multiple sites. Customers should refrain from reusing 
the same user names and passwords at multiple sites 
to avoid a security breach at one site to affect other sites; 

30 additionally, refraining from using such user names and 
passwords limits the ability of multiple sites from collud- 
ing to combine customer information and build dossiers 
on particular customers. 

Typically, the customer visits many of these web- 

3S sites, and inventing and remembering new user names 
and passwords for each web -site becomes tedious. 
Moreover, many of these web-sites require the custorp- 
er to include his e-mail address with hie user name and 
password -- by providing his e-mail address, the cus- 

40 tomer reveals his identity. *' ■ ir^jry^l 

In addition, there are commercial products aval tab la 
that allow web-sites to track their clients and yisrtiprs.'' 
Such tracking can be made even when no voluntary inr - 
formation is provided by the user and no form is filled 

45 out. Examples of such systems are 'Webreporter.' 
which is available from OPENMARKET, INC., and 
'SiteTrack." which is available from GROUP CORTEX, 
whose advertisement reads as follows: 

'Identify who is visiting your site. Record the actual 

50 number of people that visit. Find which links they fotjow 
and trace their complete path. Learn which site users 
came from and which site they depart to...' • 
These products are made possible because the hyper- 
text transport protocol ('HTTP-protocol'), on which the 

55 World Wide Web is largely based, allows specific infor- 
mation to flow back from the user to the web-site, this . 
can include for example, the user's e-mail address, the . 
last web-site he came from, and information about the [ 
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user's software and hosl-computer. Other pertinent user 
information may be sent by the web-siie to the user 
browser using what are commonly referred to as •cook- 
ies' (pieces of infomnation that web-sites may store at 
the user's browser). On subsequent visits to the web- s 
site, the user's browser sends back infomnation to the 
web-site without the user's knowledge. 

From the foregoing, it is apparent that what is need- 
ed in the art is a scheme that provides anonymous per- 
sonalized web browsing that satisfies two seemingly io 
conflicting objectives, namely, providing user privacy 
and user identification. 

SUMMARY OF THE INVENTION 

15 

To address the above-discussed deficiencies of the 
prior art. the present invention introduces a proxy sys- 
tem that performs two basic functions: (1) automatic 
substitution of user-specific identifiers such that server 
sites {e.g., web sites, junction points, intelligent portal 20 
devices, routers, network servers, etc.) within a network 
are prevented from determining the true identity of the 
user browsing (accessing, kxating, retrieving, reading, 
contacting, etc.) the sites; and (2) automatic stripping of 
any other information associated with browsing com- 2S 
mands that would allow the server sites to determine the 
true identity of the user browsing the server sites. An 
important aspect of the present inventbn is that the fore- 
going functions are performed consistently by the proxy 
system during subsequent visits to the server site (the 30 
same substitute identifiers are used on repeat visits to 
the server site; the server site also cannot distinguish 
between information supplied by the user and the proxy 
system, thus the proxy system is transparent to the serv- 
er site). The present invention therefore not only intro- ^ 
duces anonymous browsing, but also personalization 
based upon the consistent use of substitute identifiers. 

It should be noted that the term "true, ' as used here- 
in, means accurate, actual, authentic, at least partially 
correct, genuine, real or the like, the term 'or,' as used ^0 
herein, is inclusrve, meaning and/or; and the phrase "as- 
sociated with' and derivatives thereof, as used herein, 
may mean to include wrthin, interconnect with, contain, 
be contained within, connect to or with, couple to or with, 
be communicable with, juxtapose, cooperate with, inter- -^5 
leave, be a property of. be bound to or with, have, have 
a property of, or the like. 

As is described in greater detail hereinbetow, the 
principles of the present invention address the conflict- 
ing objectives of user privacy and user identiftcatbn de- 50 
scribed hereinabove by provkJing a proxy system, a pe- 
ripheral proxy system, and a method of provkjing sub- 
stitute kjentifiers to a sen/er site that albw users to 
browse the same anonymously via the proxy system. 

In one embodiment, the present invention provides, 55 
for use with a network having server sites capable of 
being browsed by users based on identifiers received 
into the server sites and personal to the users, a central 



proxy system for providing substitute identifiers to the 
server sites that allow the users to browse the server 
sites anonymously via the central proxy system. Accord- 
ing to various embodiments of the present invention, the 
substitute kJentifiers may be suitably constructed by the 
user site or a routine associated with the central site (ad- 
vantageous ways (functions) of constructing the substi- 
tute identifiers are described hereinafter). The exempla- 
ry central proxy system includes: (1) a computer-exe- 
cutable first routine that processes (receives, accepts, 
obtains, constructs, produces, etc.) site-specific substi- 
tute identifiers constructed from data specifc to the us- 
ers, (2) a computer-executable second routine that 
transmits the substitute identifiers to the server sites and 
thereafter retransmits browsing commands received 
from the users to the server sites and (3) a computer- 
executable third routine that renroves (and possibly sub- 
stitutes) portions of the browsing commands that wouW 
identify the users to the server sites. "Include" and de- 
rivatives thereof, as used herein, means inclusion with- 
out limitation. 

In one embodiment, the first of the Two above-enu- 
merated bask: functions ^s perfonmed externa! to the 
central pro.xy system, while in another it is performed, 
at least in pan, within the central proxy system. The cen- 
tral proxy system processes and forwards the substitute 
identifiers as appropriate and directly performs the sec- 
ond of the above-enumerated basic functions by strip- 
ping other information that would tend to identify the us- 
ers. An Internet Access Provider CISP"). such as NET- 
COM®, or a networking servce, such as AME RICA ON- 
LINE® or COMPUSERVE® can advantageously em- 
pby the central proxy system to provide anonynrroua re- 
transmission of browsing commands by their users.- . 

It is important to understand that subsequent use of 
the proxy system by a 'same' user to a "same" seryer 
site will cause the proxy system to construct (directly .or 
indirectly) and use the same (site-specific) substitute 
kJentifiers. Typcally, the proxy system furrctionsras a 
conduit communbating messages between Xhojij^QjJji 
and the server. Depending upon the embodjrrient^^A^^ 
proxy system may rennove or substitute some pbrtipn of ^ 
messages communicated by the user to the server to 
ensure anonymity. 

An alternative advantageous embodiment of the 
present invention may be provided in the form of a pe- 
ripheral proxy system designed for use with a network 
having a server site capable of being browsed by ijsers 
based on identifiers received into the server site and . 
personal to the users. The peripheral proxy system in-, 
eludes: (1 ) a computer-executable first routine that con-' ■ 
structs a partk:ular substitute identifier from data "re- 
ceived from a particular user and (2) a computer-exe- ' 
cutable second routine that transmits the particular sub- • 
stitute identifier to the central proxy system, the c'eritrai ' 
proxy system retransmitting the particular substitiite '■ 
kjentifier to the server site and thereafter retransmitting = 
browsing commands received from the particular user' 
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10 the server site. According to this embodiment, the first 
routine may be associated, at least in pan, with the user 
site, which distributes the basic functions of the present 
invention over multiple computer systems. 

The foregoing has outlined, rather broadly, pre- 
ferred and alternative features of the present invention 
so that those skilled in the art may better understand the 
detailed description of the invention that follows. Addi- 
tional features of the invention will be described herein- 
after that form the subject of the claims of the invention. 
Those skilled in the art should appreciate that they can 
readily use the disclosed conception and specific em- 
bodiment as a basis for designing or modifying other 
structures for carrying out the same purposes of the 
present invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present 
invention, reference is now made to the following de- 
scriptions taken in conjunction with the accompanying 
drawings, wherein like numbers designate like objects, 
and in which: 

FIGURE 1 illustrates a high-level block diagram of 
an exemplary distributed nelv.xjrk with which the 
principles of the present invention may be suitably 
used to provide either a central or a peripheral proxy 
system tor allowing users to provide substitute iden- 
tifiers to server sites of a network to browse anon- 
ymously; 

FIGURE 2 illustrates a bkxk diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a central proxy system that includes 
each of a user site, a central proxy system and a 
plurality of illustrative server sites according to the 
principles of the present invention; 
FIGURE 3 illustrates an exernplary full screen win- 
dow of a proxy system according to the principles 
of the present invention; 

FIGURE 4 illustrates an exemplary full screen win- 
dow of an interface of a particular sen/er site ac- 
cording to the principles of the present invention; 
FIGURE 5 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of FIG- 
URE 1 showing a peripheral proxy system that in- 
cludes each of a user site, a central proxy system 
and a plurality of illustrative server site according to 
the principles of the present inventran; and 
FIGURE 6 illustrates a block diagram of an exem- 
plary sub-network of the distributed network of (FIG- 
URE 1 including each of a user site, a central proxy 
system and a plurality of illustrative server sites ac- 
cording to an exemplary marker proxy embodiment 
of the present invention. 



DETAILED DESCRIPTION 

Referring initially to FIGURE 1 . illustrated is a high- 
level block diagram of an exemplary distributed network 

s (generally designated 100) with which the principles of 
the present invention may be suitably used to provide 
either a centra) or a peripheral proxy system. Distributed 
network 100 illustratively includes a plurality of compu- 
ter sites 105 to 110 that are illustratively associated by 

TO Internet 115. Internet 115 includes the World Wide Web. 
which is not a network itself, but rather an 'abstraction' 
maintained on top of Internet 115 by a combination of 
browsers, server sites, HTML pages and the like. 

According to the illustrated embodiment, either 

^5 proxy system provides substitute identifiers to one or 
more of a plurality of server sites 110 of network 100. 
The substitute kjentrfiers allow user sites (and, hence, 
users (not shown)) to browse the server sites anony- 
mously via the proxy system. Consistent use of the 

20 same (site -specific) substitute identifiers at a particular 
server site personalizes browsing. For purposes of illus- 
tratkjn, site 105a is assumed throughout this document 
to be a user site, site ll0a is assumed to be a central 
proxy site, and site llOg is assumed to be a server site. 

25 Those of skill in the pertinent art will understand that 
FIGURE 1 is illustrative only, in other configuratkjns. any 
of sites 105 to 110 may be a user, a central proxy or a 
server site, or a combination of at least two of the same, 
"Sen/er site.' as the term is used herein, is construed 

30 broadly, and may include any site capable of being 
browsed. 

Although the illustrated embodiment is suitably im- 
plemented for and used over Internet 1 1 5, the principles 
and broad scope of the present invention may be asso- 

35 ciated with any appropriately arranged computer, com- 
munications, multimedia or other network, whether 
wired or wireless, that has server sites capable of being 
browsed by users based on kjentitiers received into the 
server sites and that are personal to the users. Further, 

40 though the principles of the present invention are illus- .. 
trated using a single user site 105a, a single central j 
proxy site 110a and a single server site llOg, alternate 
embodiments within the scope of the same may include 
a plurality of user, central proxy or server sites. 

Exemplary network 1 00 is assumed to include a plu- 
rality of insecure communication channels that operate 
to intercouple ones of the various sites 105 to 110 of 
network 100. The concept of communicatcn channels 
is known and albws insecure communication of infor- 

so mation arrrang ones of the intercoupled sites (the Inter- 
net emptoys conventional communication protocols that 
are also known), A distributed network operating system 
executes on at least some of sites 105, 110 and noay 
manage the insecure communication of information 

55 therebetween. Distributed network operating systems ' 
are also known. 

According to exemplary central proxy system 110a 
of the present invention, which is discussed in detail with * 
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reference to FIGURE 2. substitute identifiers may be 
suitably indirectly provided by central proxy system 
1 10a to server site 1iOg (recall that substitute identifiers 
allow user site 105a to browse sen/er site 11 Og anony- 
mously). One or more site-specific substitute identifiers s 
are suitably provided or constructed from data specific 
to user 1 05a either by user 1 05a or central proxy system 
11 Oa. Central proxy system 1 lOa includes a plurality of 
executable routines - a first routine processes site-spe- 
cific substitute identifiers constructed from data specific 
to user I05a (site-specific substitute identifiers may be 
suitably constructed by a central proxy site 110a, such 
as by a routine associated with central proxy system 
1 10a): a second routine transmits the substitute identi- 
fiers to server site llOg (possibly via a plurality of inter- ^5 
mediate user and server sites 105, 110) and thereafter 
retransmits browsing commands received from user site 
I05a to server site 1lOg; and a third routine removes 
(and possibly substitutes) portions of the browsing com- 
mands that would identify user site I05a to server site 20 
11 Og (and the plurality of intermediate user and server 
sites 105, 110). The term "routine," as used herein, is 
construed broadly to not only include conventional 
meanings such as program, procedure, object, task, 
subroutine, function, algorithm, instruction set and the 25 
like, but also sequences of instructions, as well as func- 
tionally equivalent firmware and hardware implementa- 
tions. 

Alternatively, according to an exemplary peripheral 
proxy system (generally designated 1 20) of the present ^0 
inventkan, yvhich is discussed in detail with reference to 
FIGURE 5, that is designed for use with network 100 
again having a server site llOg capable of being 
browsed by a user site 105a based on substitute iden- 
tifiers received into server site llOg and that are per- -35 
sonal to user site 1 05a. Exemplary peripheral proxy sys- 
tem 120 includes first and second executable routines. 
The first routine, which may advantageously reside in 
user site 105a or, altematively. in central proxy system 
nOa, constructs a particular substitute identifier from "^o 
data partk:ular to user site 105a. The second routine, 
which may also advantageously reskje in user site 1 05a 
or, partially, in user site I05a and central proxy system 
1 1 0a, transmits the particular substitute identifier to cen- 
tral proxy system 110a. Central proxy system 110a then ^ 
retransmits the particular substitute identifier to server 
site I10g and thereafter communicates (e.p., transmits, 
receives, etc.) information (e.g., browsing commands, 
data, etc.) between user site 105a to server site llOg. 

According to the illustrated embodiment, peripheral 50 
proxy system 1 20 differs from central proxy system 1 1 0a 
by the location of execution of the first and second rou- 
tines. In the illustrated central proxy embodiment, all 
routines are executed by central proxy system 110a. 
which means that all users must send user specific in- 5S 
fonnation to central proxy system 110a. In the illustrated 
peripheral proxy system 120, the first and second rou- 
tines may be executed in a proxy subsystem associated 



with user site 105a. In one advantageous embodiment, 
user system lOSa's user specific inlormatton (e.g., user 
identification, passwords, e-mail addresses, telephone 
numbers, credit card numbers, postal address, etc.) re- 
main local, which will typically be more secure than cen- 
tral proxy system 110a. 

As set forth hereinabove, an ISP. such as NET- 
COM®, or a networking service, such as AMERICA ON- 
LINE® or COMPUSERVE®, can advantageously em- 
pby either exemplary proxy system (central or periph- 
eral) to provide anonymous communication (transmis- 
sbn. reception, retransmission, etc) of browsing (e.g., 
accessing. selectk3n. reading, etc.) commands between 
user sites and server sites. 

An important aspect of the above-identifiBd embod- 
iments is the use of site-specific substitute identifiers to 
eliminate the need for a user to have to 'invenf a new 
user name and password for each server site which re- 
quires the establishment of an account (e.g., the NEW 
YORK TIMES, the WALL STREET JOURNAL, the 
NEWSPAGE® and ESPN® sites). The illustrated em- 
bodiment generates secure substitute identifiers (e.g., 
alias user names, passwords, e-mail addresses, postal 
addresses, credit card numbers, etc.) that are distinct 
and secure for the user. The user provides one or more 
character strings (which may be random) once, which 
may advantageously be at the beginning of a proxy sys- 
tem session. The proxy system uses the same to gen- 
erate one or more secure site-specific substitute identi- 
fiers for the user -- thereby freeing the user from the bur- 
den of inventing new and unique identifiers for each 
server site. Moreover, the user no longer has to type 
such secure identifiers every time the user returns Xo a 
particular server site requiring an account; instead the 
proxy system provides the appropriate secure identifiers 
automatically. In an advantageous embodiment to be 
described, the proxy system filters other identifying in- 
formation (e.g., HTTP headers, etc.) sent by user srte 
1 05a while browsing server sites. It is important to keep 
in mind that sen/er sites cannot typically distinguish be- 
tween information supplied by proxy system .11 6a and ^ 
informatran supplied by user site 105a central proxy 
system 1 1 Oa being transparent to carver sites. 

In one embodiment, the substitute identifiers are 
transmitted on demand from servers, without any inter- 
vention from the user. This process automates the re- 
sponse to a 'basic authentication request." which is a 
common procedure used by servers to identify users on 
the WorkJ Wide Web. In this way, the user is not bur- 
dened by this activity. 

According to the illustrated embodiment, to produce 
substitute identifiers the proxy system nnay suitably 
maintain secret information (secret to at least one serv- 
er-site) in the form of user definable character strings. 
These character strings may be user defined and nr^y 
bo maintained in some conventonal nnannor, such as 
storing the same to memory associated with the proxy 
system, or, advantageously, a functbn (described here; 
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inafter) may be used lo produce the substitute identifi- 
ers, at least in pan, in association with the secret infor- 
mation. According to one approach, the proxy system 
maintains a conventional data structure to nnaintain the 
same, such as a database, data repository, an array, 
etc., or even an alias table, that may be used to map 
user information to their substitute, or alias, identrfiers. 

According to one advantageous embodiment, the 
user delivers Its own secret (user definable character 
string) at the beginning of each session, which Is used 
by the proxy system to generate, directly or indirectly, 
the substitute identifiers for the session. This option has 
the advantage that a user has the flexibility to choose 
different proxies at different times and there is no per- 
manent secret informatbn stored on the proxy system. 
In another related embodiment, the data comprises at 
least two secret user definable character strings, where- 
in the first routine processes substitute identifiers con- 
structed in part from the at least two secret user defin- 
able character strings. Of course, alternate suitable ap- 
proaches may be used to accomplish the purpose of 
providing anonymous personalized web browsing ac- 
cording lo the present invention. 

Turning now to FIGURE 2, illustrated is a block di- 
agram of an exemplary sub-network (generally desig- 
nated 200) of distributed network 100, wherein sub-net- 
work 200 includes user site 105a, central proxy system 
1 1 Oa and server site 1 1 0g (shown among a pi urality of 
other illustrative server sites 11 0 of Internet 1 1 5) accord- 
ing to the principles of the present invention. 

For purposes of illustration, assume that user site 
1 05a issues a command to access server site llOg (the 
NEW YORK TRIBUNE web-site ('NYT")). Such access 
would be via central proxy system (server site) 110a, 
which ensures that user specific data concerning user 
site 105a is not communicated over the remainder of 
Internet 115- there may be HTTP header fields, for ex- 
ample, that include data about user site 105a that cen- 
tral proxy system 110a filters. 

Exemplary central proxy system 110a advanta- 
geously executes on a server site that Is not associable 
with user srte 105a by other sites over Internet 115. Ac- 
cording to an advantageous embodiment, central proxy 
system 110a may be suitably distant, both physically 
and logically, from user site 105a - user site 105a does 
not access server-sites directly because the server- 
sites can determine both physically and logically the In- 
ternet Protocol ('IP') " address of the machine that 
made the request. 

According to the exemplary embodiment, if user site 
1 0Sa's command to access NYT 1 1 Og is user site 1 0Sa's 
first request of the current session, central proxy system 
110a will recognize the same, and display its own 
HTML-document, possibly on user site lOSa's browser 

Turning momentarily to FIGURE 3, illustrated is an 
exemplary full screen window of a conventional browser 
300 ('NETSCAPE®") displaying an inlaid interface 305 
(•JANUSSM-) of centra! proxy system 1 1 0a according to 



the principles of the present invention. Exemplary inter- 
face 305 prompts a user of site I05a to enter user de- 
finable character strings, which according to the illus- 
trated embodiment includes identification ("ID") data 

5 and secret ("S") data supplied by the user. Each user 
Inttialty supplies a user ID {e.g., e-nnail address) and a 
user S to allow one or more substitute identifiers to be 
chosen or constructed (site-specific substitute identifi- 
ers are suitably constructed from data specific to user 

10 i05a and a particular server site which user 105a in- 
tends to browse). Alternatively, other or further data sup- 
plied by the user may be appropriate in some applica- 
tions (e.g.. credit card number, post office address, han- 
dle, etc). 

IS According to the advantageous embodiment, sub- 
stitute identifiers may be constructed (generated) using 
a suitable function that includes the features of anonym- 
ity, consistency, collision resistance and uniqueness, 
protection from creation of dossiers, and single secret 

20 and acceptability. Concerning anonymity, the identity of 
the user should be kept secret; that is, a server site, or 
a coalition of sites, cannot determine the true identity of 
the user from its substitute identification. Concerning 
consistency, for each sen/er-site, each user should be 

25 provided with some substitute identifiers allowing the 
server site to recognize the user given the same, there- 
by enabling the sen/er site to personalize the user's ac- 
cess and the user can thus be 'registered' at the sen/er 
site. 

30 With respect to collision resistance and unique- 
ness, given a user's identity and a server site, a third 
party should not find a different user identity which re- 
sults in the same alias (impersonation) for that server 
site. As to protection from creatksn of dossiers, the user 

3S is likely to be assigned a distinct alias (substitute iden- 
tifier) for distinct sen/er sites, so that a coalitksn of sites 
is unable to learn a user's habits and build a user profile 
(dossier) based on the set of sites accessed by the user. 
Lastly, single secret (user definable character string) 

^ and accepiabilrty provides, given the user's identity and 
a single secret, automatic generation of sectjre, distinct 
aliases (substitute identifier) as needed for each seryef-; 
site, transparent to the user - from the user's petspec-. 
tive, the user definable character string is equivalent to 
a universal password for a collection of server-sites. 

According to this embodiment, a user ID is 'corrupt' 
(not secret) if an adversary (one or more server sites 
desirous of identifying the user), E, has been able to 
read the user's secret. S. Alternatively, a user ID is 'par- 

so tially opened' (not fully secure) with respect to a partic- 
ular sen/er site, w, if Ehas been able to read the alias 
password; a user ID is 'opened' (not secure) with re- 
spect to w, if it is partially opened and Ehas been able 
to relate the alias password together with the alias user 

55 name to the user ID. Assuming that the function, T(), is 
defined as follows. T^user ID. web-site ("v/), S) = fsub- 
stitute username. passwords;, hence, T(id, w,S) = (Uw, 
Pw): and Tu(id,w,S) = l/wand Tp(id,w,S) = Pw. 
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Tu (id, S) = Uw = h(enc(k,id, ffs^^w))) 

and 

Tp(id,w,S) = Pw= h(9nc(k,id, HSg''^))). 

wherein 

i(i denotes user site lOSa's ID (e.g., e-mail 

address); 

IV denotes sen/er site llOg's domain 

name; 

// denotes the logical function of concate- 

nation; 

S denotes A/ZSyz/s^, a user site 105a defin- 

able character string; 

xor denotes the Boolean function of exclu- 

sive or, 

f(k,x) denotes a suitably arranged function for 

generating pseudo-random values, and 
may be selected from a group of func- 
tions, such as des(k,h(x),x): 

enc(k,x,r) denotes r//(f(kj)xor x); 

h() denotes a col I is ion -resistant hash func- 

tion, such as MD5; and 

des(k,i,x) denotes DES encryption in cipher block 
chaining ('CBC") mode, which are 
known, of information x using key /c and 
an Initialization vector /. 

Both Tu() and TpQ may suitably truncate the result of 
the hashing function, h(), to fit the longest allowed user 
name or password for the particular server site. 

Relating this function, TQ, to the above-identified 
and described features yields the following: 

1. E can only guess at the identity, ID. of a user 
which is only partially opened and unconrupted. 

2. T() is a deterministic function and E can only 
guess at the alias-password of a user which is un- 
opened and uncorrupted, 

3. Given wand an uncorrupted and unopened user 
ID, E can only guess at the ID and S. 

4. For an uncorrupted user ID and w, T(id,w,S) does 
not give to E information about T(id,w',S) for any w' 
not equal to w. 

5. The range of Tjf/d, w,S) is such that it is accepted 
by server sites as a valid usemame and password 
- implying a limited length string of printable char- 
acters. 

Those skilled in the pertinent art will understand that al- 
ternate suitable functions may replace or be used in as- 
sociation with the foregoing according to the principles 
of the present invention. 

Use of the foregoing exemplary substitute identifier 



constructing function, and for thai matter, any other suit- 
ably arranged function for constructing substitute iden- 
tifiers according to the present invention, operates to 
foster the above -identified features of anonymyzed and 
s personalized browsing. The present invention provides 
the ability to anonymously visit a server site a first time 
via site-specific substitute identifiers, to interact with the 
server site as a function thereof, and to re-visit the send- 
er site on subsequent occasions using the same site- 
^0 specific substitute identifiers, interacting with the server 
site as a return customer - possibly receiving person- 
alized attention - as a function of the recognized sub- 
stitute identifiers. Simply stated, the substitute identifi- 
ers are constructed consistently and in advantageous 
'5 embodiments in a site-specific manner. 

In one embodiment of the present inventbn, the 
substitute identifiers include site-specific substitute user 
names and site-specific substitute user passwords. 
'Site-specific* means that the names and passwords 
20 vary from site to site, depending perhaps upon the ad- 
dress of each site. This may complicate the task of cre- 
ating a dossier relative to a given user. In a related em- 
bodiment, the first routine constructs site-specific sub- 
stitute e-mail addresses for user site 105a from the site- 
25 specific data. In an alternate advantageous embodi- 
ment, the first routine constructs the site-specific sub- 
stitute identifiers from addresses of the server sites - of 
course, site-specific information other than the address 
of the site may be used to construct the substitute iden- 
30 tifiers. 

If this is the first contact of the user with central 
proxy system 110a. then the user may suitably generate 
a user defined character string (secret) at randorn and 
store the same locally. In one advantageous embodi- 

3S ment. the first routine processes substitute identifiers 
that may be constructed by applying pseudo-randprn 
and hash functbns (o.g„ T() function sot forth herein- 
above) to the data received from user site 1 05a — those 
skilled in the art are familiar with the structure and op- ^ 
eration of pseudo-random and hash functions aridiKeir 
utility. The important aspect of this and related oirBSd^^^ 
iments is that the present invention is adapted to' take 
advantage of current and later<Jiscovered functions to 
enhance anonymity and security. 

Alternatively if this is the first contact of a curi-ent 
session then the user may suitably enclose the stored 
user defined character string to central proxy system 
1 1 Da. Nonetheless, browser 300 sends Interface 305 to-, 
gether with a user's ID and other user definable charac- 

50 ter string to central proxy system 110a Central 'proxy 
system 110a receives this information and may use the 
same for the rest of the session. 

In one advantageous embodiment, the first routine 
receives or generates session tags that are added to the 

55 browsing commands, central proxy site 110a employing 
the session tags to associate the substitute kientifiere ' 
with each of the browsing comnwids the session ; 
tags, while not necessary to the present invention, prb-V.: 
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vide one manner that allows user sites lOSa to supply 
their data only once, usually at the beginning of each 
session. In a related advantageous Gmbodimeni, cen- 
tral proxy site 110a includes a data store thai is capable 
of containing session information specific to user sites 
105a and accessible by server sites llOg. 

In one advantageous embodiment, the second rou- 
tine described above, which may be local to the central 
proxy system 110a. transmits the substitute identifiers 
to server site 11 Og. In a further advantageous embodi- 
ment, the second routine transmits the substitute iden- 
tifiers to server site 1 1 0g based on alphanumeric codes 
supplied in fields of web-pages 305 by the users. The 
alphanumeric codes prompt the second routine as to 
how and where to locate the substitute identifiers, re- 
moving the users from actually having to provide the 
substitute identifiers directly. Of course, the alphanu- 
meric codes may be supplied in a different form, in a 
related, more specific embodiment, the users manually 
place the alphanumeric codes in the fields of web-pages 
305. Of course, the present invention encompasses in- 
telligent parsing of the fields of web pages 305 to deter- 
mine automatically how and where the alphanumeric 
codes should be located. Those skilled in the an are fa- 
miliar with the Intemet in general, the World Wide Web 
in particular and the way in which the structure of the 
World Wide Web promotes 'browsing/ The present in- 
vention finds apparent utility in conjunction with the In- 
temet and the World Wide Web. however, those skilled 
in the art will readily understand that the present inven- 
tion has advantageous application outside of the Inter- 
net as well in any suitably arranged computer, commu- 
nications, multimedia or like network configuration. 

Nonetheless, after central proxy system 110a ob- 
tains the required information about the user, the above- 
described third routine removes portions of the browsing 
commands that would identify user site 105a to server 
site I10g, and fooArards user srte 105a's original request 
for access to NYT-site llOg (e.g,, using an HTTP get- 
request) ~ thereby selectively excluding from the re- 
quest header-fields or the like that may identify the user. 

If this is the user's first visit to NYT-site llOg, then 
it may suitably provide the user with an electronic form 
prompting, for example, for a user name, a password 
and an e-mail address in order to establish an account. 
Turning momentarily to FIGURE 4. illustrated is exem- 
plary full screen window of conventional NETSCAPE® 
browser 300 displaying an inlaid interface 400 ("THE 
NEW YORK TRIBUNE') of server site llOg according 
to the principles of the present invention. 

Now, instead of having to provide a unique user 
name and a secret password, the user may suitably pro- 
vide these fiekJs with simple escape strings (e.g., ■<uu- 
uu>'* and •<pppp>'). More specifically, the alphanumeric 
codes above-described may be suitably arranged into 
such escape sequences - those skilled in the art are 
familiar with escape sequences. These strings are rec- 
ognized by central proxy site 110a which uses user site 



lOSa's user name and secret (user definable character 
string) along with the domain-name of the NEW YORK 
TRIBUNE and computes substitute identifiers (e.g., ali- 
as user name. u3. and alias password, p3. in FIGURE 
s 2. etc.), such as by function T(ID. secret, domain-name). 
The site-specific substitute identifiers may be sent to a 
particular server site by central proxy system 1 1 0a using 
the same mechanism that the user would submit input 
to the particular server site. In other words, proxy system 
10 nOa receives information communications, such as 
browsing commands, from user site I05a intended for 
server site 110g. and retransmits the same to server site 
1 1 0g - central proxy system 1 1 0a functioning as a trans- 
parent conduit for anonymizing and, through consistent 
'5 generation of site-specific substitute identifiers, person- 
alizing server site browsing. 

On a subsequent visit to NYT-site llOg, which will 
require that user site 105a authenticate itself (response 
to the first get-request forwarded to NYT-site llOg by 
20 central proxy system 110a), central proxy system 110a 
may be suitably operative to automatically recompute 
u3 and p3 and reply by sending these values back to 
NYT-sfte 110g (re-sending the get-request). User site 
105a is thereby freed from the burden of remembering 
25 the user name and password of its NYT-site llOg ac- 
count. To summarize, the protocol, whch may be suita- 
bly executed without involving user site 105a, includes: 
(1 ) a step of NYT-site server 1 1 0g requesting an authen- 
ticat'on from central proxy site 110a by failing the first 
^ get request; (2) central proxy site 110a recomputing the 
substitute Identifiers (e.g., (alias-user name, alias-pass- 
word) = T(ID, secret, domain-name), or the like); (3) cen- 
tral proxy site 110a replying by re-sending the get with 
the same substitute identifiers. 
3S The substitute identifiers are consistent in the sense 
that the substitute identifiers are presented on subse- 
quent visits to the same server site by user 105a. Con- 
sistent substitute identifiers allow server sites to recog- 
nize retuming users and provide personalized service . 
"^0 to them. In one embodiment, the second routine traris-;.; 
mits the substitute identifiers on demand from sefyers;|- 
without any intervention from user 105a. This process^; 
automates the response to a 'basic authenticatran re-^ 
quest,' which is a common procedure used by servers 
^ to identify users 105a on the World Wide Web. In this 
way, user I05a is not burdened by this activity. In this 
embodiment, the second routine may have to re-trans- 
mit the original user request abng with the substitute 
identifier to the server. 
50 It shoukJ be noted that many servers require a valid 
^mail address for creating an account -- users canribt 
use their true e-mail address for this purpose since it 
uniquely identifies them. The proxy system of the 
present invention may suitably solve this problem by 
55 creating an alias e-mail address for user site 105a and ' 
store e-maW in an electronic mailbox. In one advanta- 
geous embodiment, central proxy system 110a includes 
a data store capable of containing e-mail destined for 
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the users, thereby preventing server sites from contact- 
ing users directly. Contrary to prior an anonymous re- 
mailers, the present embodiment is not required to rely 
on having to store any translation tables (which nriay be 
large and vulnerable) kom alias to true user identifiers 
in central proxy system 110a. This embodiment is inher- 
ently securer than prior art approaches as central proxy 
system llOa is not required to maintain and protect a 
translation table and cannot be forced to reveal the con- 
tents of any such table to a third party. 

In an alternate advantageous embodiment, central 
proxy system 1 05a further includes a data store capable 
of containing e-mailboxes for the users and specific to 
the server sites. According to this embodiment, each us- 
er has a mailbox for each site that has generated mail 
destined for the user. Rather than compromising secu- 
rity by allowing automatic remailing to the user, the 
present embodiment may store e-mail for explicit re- 
trieval by each user. 

For each sen/er. rt may be advantageous for users 
to have a separate e-mail box, possibly ideniified by us- 
er-substrtute identifiers. This approach may allow for 
suitable disposal of ©-mail messages received from the 
third-parties {ag., 'junk e-mail') as well as the option of 
selective disposal of e-mail messages. 

In one advantageous embodiment, each of e-mail- 
boxes has a key associated therewith, the key being a 
function of the data and an index number. The use of 
keys with e-mailboxes is known. In another advanta- 
geous embodiment, centra! proxy system 110a further 
comprises a computer-executable routine that, given 
the substitute identifiers, collects e-mail destined for the 
users and contained within a plurality of site-specific e- 
mailboxes. This embodiment may suitably employ a 
mail-collecting routine that automatically locates user 
site lOSa's various mailboxes and retrieves the mail 
therefrom once the user has supplied the appropriate 
data. 

According to one advantageous embodiment, cen- 
tral proxy system 110a includes functionality necessary 
to support electronic payment, the users employ elec- 
tronic payment information to engage in anonymous 
commerce with the server sites. To facilitate the same, 
central proxy system llOa may include a data store ca- 
pable of containing such electronic payment informa- 
tion. Further, substitute identifiers may be constructed, 
at least in part, using credit/debit card numbers, bank 
branch or account numbers, postal addresses, tele- 
phone numbers, tax identification numbers, social se- 
curity numbers or the like. Various methods for achiev- 
ing anonymous commerce are known. 

By way of further example, an ever increasing 
number of sites require a valid credit card number as 
part of establishing an account, so that such sites may 
charge the user for their services (e.g.. WALL STREET 
JOURNALCB), ESPN®, etc.). While the above-described 
proxy system provkJes substitute identifiers to free users 
from remembering these items and by provkiing a guard 



on (involuntary) data flowing to the web-site, it may not 
provide complete anonymity to a user who has provided 
a credit card number to a site. One solution, described 
briefly above, requires central proxy system llOa topro- 
s vide its own valid credit card number to the requesting 
site and then collect money from its users. If central 
proxy system 105a is incorporated into an Internet pro- 
vkJer. for example, such as AlVtERlCA ONLINE®, then 
this relationship may already exist. 

10 Alternatively, central proxy system llOa may be 
known and trusted by other sites, thereby allowing cen- 
tral proxy system 110a to generate an alias credit card 
number and expiration date, and then to authenticate 
this data and send it to a requesting site. The site can 

'5 then check that this number indeed originates from cen- 
tral proxy system 1 10a and hence accepts the same as 
valid, with the understanding that it can collect the mon- 
ey from central proxy system nOa. There no tonger is 
a need to send a 'real' credit card number between cen- 

20 tral proxy system nOa and the sites. 

It is important to realize that the various features 
and aspects of the embodiments above-described may 
also be suitably implemented in accordance with the pe-. 
ripheral proxy system described with reference to FIG- 

25 URE 1. More particularly, turning momentarily to FIG- 
URE 5. there is illustrated a block diagram of an exem- 
plary sub-network (generally designated 500) of the dis- 
tributed networ1< of FIGURE 1 showing a peripheral 
proxy system 120 that includes each of user site 105a. 

30 central proxy system 110a and NYT-site llOg (shown 
among a plurality of other illustrative sen/er sites 110 of 
Internet 115) according to the principles of the present 
invention. 

Peripheral proxy system 1 20, as set forth above, in- 

55 eludes first and second executable routines. The first 
routine, which advantageously resides in user site 105a, 
constructs substitute identifiers from data particular. to 
user site 105a. The second routine, which also illustra- 
tively resides in user site 105a, transmits the substitute 

^ kienlifiers to central proxy system 110a. Central proxy '., 
system 11 Oa then retransmits the substitute kJentifiers - 
to server site llOg and thereafter communicates (e.p.V . 
transmits, receives, etc.) infonmation (e.g., browsing 
commands, data, etc.) between user site 105a to server 

^ site llOg. This second configuration is particularly ad- 
vantageous when users may not trust central proxy sys- 
tem 1 1 0a or the communication lines therebetween, and 
want to keep user identifications and other secret infor- 
mation secure. 

so A local proxy system 510 may be used to maintain 
the same, and may use the user's identificatbn and oth- 
er information to compute the substitute identifiers. Lo- 
cal proxy system 5 1 0 communicates with a central proxy 
system 110a, which may be used to forward communi- 

55 cation to servers and handle e-mail. In one embodiment, * ! 
central proxy system 110a communicates with compu- 
ter-executable local routines associated with the users, 
the local routines constructing the site-specific substi-' 
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tuie ideniifiers from data specific to the users. Again, 
central proxy system 1 lOa may rely on distributed rou- 
tines, local to each user, that generate the substitute 
ideniifiers and transmit the same to central proxy system 
110a. 

Turning now to FIGURE 6, illustrated is a block di- 
agram of an exemplary sub-network (generally desig- 
nated 600) of the distributed network 1 00 including each 
of user site 105a. central proxy system 110a and a plu- 
rality of illustrative server sites 110b. 110c, and llOg ac- 
cording to an exemplary marker proxy embodiment of 
the present invention. As described above, the central 
proxy system of the present invention may be employed 
in at least two configurations, namely, a central proxy 
configuration (FIGURE 2) or a peripheral proxy config- 
uration (FIGURE 5). 

In the central proxy configuration, central proxy sys- 
tem 110a computes substitute identiriers. An implemen- 
tation of this configuration may require user site 105a to 
provide one or more user definable character strings (a 
p., user identification, password and other secret infor- 
mation) once, and central proxy system 110a will there- 
after generate the substitute ideniifiers as needed. Cen- 
tral proxy system 110a may associate the user definable 
character strings with a series of HTTP requests gener- 
ated by the same user site 1 05a - the central proxy sys- 
tem 110a may associate each request with a session, 
that contains all communication between a specific user 
site 105a and the central proxy system 110a. 

The HTTP protocol however does not generally di- 
rectly support sessions or relationships between re- 
quests. Wore partculariy. each HTTP request may be 
sent a new socket connection, and there is no required 
HTTP header field that can link successive requests 
from the same user. 

It should be noted that the session identification is 
typically not necessary in the peripheral proxy configu- 
ration since central proxy system nOa may forward 
communications without any computation. In a typical 
embodiment, peripheral proxy system 120 retransmits 
browsing commands received from user site 105a to 
central proxy system tlOa, which then retransmits such 
commands to server site 110g. According to one em- 
bodiment, peripheral proxy system 120 removes and, 
possibly, substitutes portions of the browsing com- 
mands that would identify user site 105a to server site 
nOg. 

In one advantageous embodiment user site 105a 
runs a marker program 605 locally Marker program 605 
operates to tag user site 105a's requests with a session 
tag. t. Central proxy system 110a uses this tag to identify 
requests belonging to a particular one of a group of us- 
ers. Marker program 605 may be implemented to store 
user site 105a's session tag and add this tag to all re- 
quests, and central proxy system 110a removes the ses- 
sion tag before forwarding the request to some server 
site. The session tag should be unique, as no two users 
should have the same tag. 



It should be r 

" which are a me^°^®*^ ^^^^ NETSCAPE® uses "cookies, 
term session infc^^a^^'sm ^or storing and retrieving long 
lually is known) (^^® ^^e of "cookies* concep- 
s browsed sen/ers- "^^ cookies are generated by the 
main name. Brov^^ associated with a specific de- 
ed with a specifit^®''^ S"^"^*^ cookies associat- 
visits that domair clomain name whenever the user re- 
ies associated v!^ Servers typically only generate cook- 
10 easy mechanisn/'^^ domain. Cookies provide an 
the contents of a' *^^^P session information, such as 
word, event cour "shopping cart." account name. pass- 
Some compf"^®^®' ^^^^ preferences, etc. 
users and their 1^"'®^. use cookies extensively to track 
75 present inventic^^^'*®- Since the proxy systems of the 
browsed servers'" present substitute kientifiers to 
identities. Thus a"' servers cannot learn true user 
store in its cookif'' information that the server may 
not to the true ''elates to some "alias persona," an6 
20 same server, it w^®*^* Whenever the user returns to the 
ers, and may aisc'" P'^esent the same substitute identifi- 
erated earlier for^ submit the cookie that the sen/er gen- 
It is apparent ^^'^ ^''^s persona, 
provides, for use ^^^^ present invention 

25 server sites, whe ^ network having user sites and 
ing browsed by l*"®'" server sites are capable of be- 
ceived into the f^® *^ser sites based on identifiers re- 
sites, both a cen*®^®"^ sites and personal to the user 
providing consist'''^' ^ peripheral proxy system for 
30 sites that allow th°"^ substitute identifiers to the server 
in an anonymou'® ^^^^ browse the sen/er sites 

system. ^ personal fashion via the proxy 

An exemplar 

executable first rcV central proxy system includes: (1) an 

^ stitute identifiers ^^^^ processes site-specific sub- 
user sites, (2) an constructed from data specific to the 
mits the substitu executable second routine that trans- 
thereafter retran'^® identifiers to the server sites and 
from the user site®"^'^^ browsing commands receiyed 

40 able third routing® the server sites and (3) an execy^^^ . 
tutes) portions o^ ^^^^ removes (and possibly syl^ti^ 
identify the user / ^® browsing comnTands IhafwSjia;^ 
An exemplar^*^^^ ^^^^^ ' '-^S^rf 

an executable fi,y peripheral proxy system includes: (1) 

45 substitute identifi'^^ routine that constructs a particular 
user site and (2®^ 'rorri data received from a particular 
transmits the par) ^n executable second routine that 
proxy system, thc'^'^ular substitute identifier to a central 
ting the partcula' central proxy system then retransrnit- 

50 and thereafter ri substitute identifier to the sen/er site 
ceived from the ^^transmitting browsing commands re- 
Although the^'^'c^'^'' i^ser site to the server arta' - 
in detail, those si P^'esent invention has been described 
they can make vc^"®*^ should understand tfiat 

5S ations herein wit"''^"® changes, substitution sand after- 
invention in itsbrc^®^^ departing from the scope of the 
be apparent to th^^*^est form. More particularly, it should', 
above-described'^®® skilled in the pertinent art that the 
routines are software-based and exis- - 
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cuiable by a suitable conventional computer system/ 
network. Alternate embodiments of the present inven- 
tion may also be suitably implemented, at least in part, 
in firmware or hardware, or some suitable combination 
of at least two of the three. Such firmware-or hardware 
embodiments may include multi, parallel and distributed 
processing environments or configurations, as well as 
alternate programmable logic devices, such as pro- 
grammable array logic ('PALs') and programmable log- 
ic arrays CPLAs*), digital signal processors ('DSPs'), 
field programmable gate arrays ('FPGAs'). application 
specific integrated circuits ('ASICs'), large scale inte- 
grated circuits ('LSIs'). very large scale integrated cir- 
cuits ('VLSIs') or the like to form the various types of 
modules, circuitry, controllers, routines and systems de- 
scribed and claimed herein. 

Conventional computer system architecture is more 
fully discussed in The Indispensable PC Hardware 
Book, by Hans-Peter Messmer, Addison Wesley (2nd 
ed. 1995) and Computer Organization and Architecture, 
by William Stallings. l^cMillan Publishing Co. (3rd ed. 
1 993); conventional computer, or communications, net- 
work design is more fully discussed in Data Network De- 
sign, by Darren L. Spohn, McGraw-Hill. Inc. (1993); and 
conventional data communications is nnore fully dis- 
cussed in Voice and Data Communicathns Handbook, 
by Bud Bates and Donald Gregory. McGraw-Hill. Inc. 
(1 996). Dara Communications Principles, by R. D. Gitfin, 
J. F. Hayes and S. B. Weinstein. Plenum Press (1992) 
and The Irwin Handbook of Telecommunications, by 
James Harry Green, Irwin Professional Publishing (2nd 
ed. 1992). 



Claims 

1 . A central proxy system for coupling to a network and 
for allowing users to browse server sites on said 
network anonymously via said central proxy sys- 
tem, said central proxy system comprising: 

a computer-executable first routine that proc- 
esses site-specific substitute identifiers con- 
structed from data specific to said users; 
a computer-executable second routine that 
transmits said substitute identifiers to said serv- 
er sites and thereafter retransmits browsing 
commands received from said users to said 
server sites; and 

a computer-executable third routine that re- 
moves portions of said browsing commands 
that would identify said users to said sen/er 
sites. 

2. The central proxy system as recited in Claim 1 
wherein said data comprises identification data and 
a user definable character string supplied by saki 
users. 



3. The central proxy system as recited in Claim 1 
wherein said site-specific substitute identifiers com- 
prise site-specific substitute user names and site- 
specific substitute user passwords. 

5 

4. The central proxy system as recited in Claim 1 
wherein said first routine constructs site-specific 
substitute electronic mail addresses for said users 
from said data. 

w 

5. The central proxy system as recited in Claim 1 
wherein said first routine constructs said site-spe- 
cific substitute identifiers from addresses of said 
server sites. 

75 

6. The central proxy system as recited, in Claim 1 
wherein said server sites are World Wide Web sites 
capable of presenting web pages to said users, saki 
second routine transmitting said substitute identifi- 

20 erstosaid server sites under direction of said users. 

7. The central proxy system as recited in Claim 1 
wherein said second routine transmits said substi- 
tute identifiers to saki server sites based on alpha- 

2S numeric codes supplied in web page fields by said 
users. 

8. The central proxy system as recited in Claim 7 
wherein said alphanumeric codes are arranged in 

30 escape sequences. 

9. The central proxy system as recited in Claim 7 
wherein said users manually place said alphanu- 
meric codes in saki web page fields. 

3S 

10. The central proxy system as recited in Claim 9 
wherein said central proxy system communicates 
with computer-executable local routines associated 
with said users, said local routines constructing saki 
site-specific substitute klentifiers from data specific 
to said users. - • ■ ^.•,':;:;:r 

11. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 

^ electronic mail destined for said users. 

12. The central proxy system as recited in Claim 1 
wherein said first routine processes substitute iden- 
tifiers constructed by applying pseudo-random and 

so hash functions to said data received from said us- 
ers. 

13. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 

55 electronic mailboxes for said users and specific to 
said server sites. 

14. The central proxy system as recited in Claim 13 
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wherein each of said electronic mailboxes has a key 
associated therewith, said key being a function of 
said data and an index number. 

15. The central proxy system as recited in Claim 1 fur- 
ther comprising a computer-executable routine 
that, given said substitute identifiers, collects elec- 
tronic mail destined for safd users and contained 
within a plurality of site-specific electronic mailbox- 
es. 

16. The central proxy system as recited in Claim 1 
wherein said first routine receives session tags add- 
ed to said browsing commands, said central proxy 
system employing said session tags to associate 
said substitute identifiers with each of said browsing 
commands. 

17. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
session information specific to said users and ac- 
cessible by said server sites. 

18. The central proxy system as recited in Claim 1 fur- 
ther comprising a data store capable of containing 
electronic payment information, said users employ- 
ing said electronic payment information to engage 
in anonymous commerce with said server sites. 

19. The central proxy system as recited in Claim 1 fur- 
ther comprising an initializing routine that con- 
staicts said site-specific substitute identifiers from 
data specific to said users and communicates said 
site-specific substitute identifiers to said first rou- 
tine. 

20. A peripheral proxy system for coupling to a network 
and for allowing at least one user to browse a server 
site on said network anonymously via a central 
proxy system, said peripheral proxy system com- 
prising; 

a computer-executable first routine that con- 
structs a particular substitute Identifier from da- 
ta received from a particular user; and 
a computer-executable second routine that 
transmits said particular substitute identifier to 
said central proxy system, said centra! proxy 
system retransmitting said particular substitute 
identifier to said server site and thereafter re- 
transmitting browsing commands received 
from sakj particular user to said sewer site. 



22. The peripheral proxy system as recited in Claim 20 
wherein said particular substitute Identifier compris- 
es a particular substitute user name and a particular 
substitute user password. 

5 

23. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs a particular 
substitute electronic mail address for said particular 
user from said data. 

10 

24. The peripheral proxy system as recited in Claim 20 
wherein said first routine constructs said particular 
substitute identifier from an address of said sen/er 
site, said particular substitute Identifier therefore 

?5 being specific to said server site. 

25. The peripheral proxy system as recited in Claim 20 
wherein said server site is a World Wide Web site 
capable of presenting at least one web page to said 

20 users, said central proxy system transmitting said 
particular substitute identifier to said server site un- 
der direction of said particular user. 

26. The peripheral proxy system as recited in Claim 20 
25 wherein said central proxy system said particular 

substitute identifier to said server site based on al- 
phanumeric codes supplied in web page fields by 
said user 

30 27. The peripheral proxy system as recited in Claim 26 
wherein said alphanumeric codes are arranged in 
escape sequences. 

28. The peripheral proxy system as recited in Claim 20 
3S wherein said central proxy system further compris- 
es a computer-executable third routine that re- 
moves portkxis of sakJ browsing convnands that 
would identity said particular user to said server 
site. 

29. The peripheral proxy system as recited in Claim^28 •= 
wherein said first and second routines are' execut;"^^ 
able on a computer system associated with s'aid 
particular user and said central proxy system is a 
computer system having a network address differ- 
ent from said computer system associated with said 
particular user. 

30. The peripheral proxy system as recited in Clairri 20 
so wherein said central proxy system further compris- 
es a data store capable of containing electronic mail 
destined for said particular user. 



26. 

25 



21. The peripheral proxy system as recited in Claim 20 31. The peripheral proxy system as recited in Claim 20 
wherein said data comprises identification data and ss wherein said first routine constructs said particular .■ 
a user definable character string supplied by said substitute identifier by applying pseudo-random" 

partcular user, and hash functkxis to said data received from said . 

particular user. ; 
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32. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable ot containing an electronic 
mailbox for said particular user and specific to said 
server site. 

33. The peripheral proxy system as recited in Claim 32 
wherein said electronic mailbox has a Key associ- 
ated therewith, said key being a function of said da- 
ta and an index number. 

34. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable routine that, given said 
particular substitute identifier, collects electronic 
mail destined for said particular user and contained 
within at least two electronic mailboxes. 

35. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a computer-executable marker routine that adds 
session tags to said browsing commands, said 
proxy system employing said session tags to asso- 
ciate said particular substitute identifier with each 
of said browsing comnnands. 

36. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing session infor- 
mation specific to said particular user and accessi- 
ble by said server site. 

37. The peripheral proxy system as recited in Claim 20 
wherein said central proxy system further compris- 
es a data store capable of containing electronic pay- 
ment information, said particular user employing 
said electronic payment information to engage in 
anonymous commerce with said server site. 

38. A method for use with a network having a server 
site capable of being browsed by users and for al- 
lowing said users to browse said server site on said 
network anonymously via said proxy system, said 
method comprising the steps of: 

constructing a particular substitute identifier 
from data received from a part'cular user; 
transmitting said particular substitute identifier 
to said sen/er site; and 

thereafter retransmitting browsing commands 
received from said particular user to said server 
site. 

39. The method as recited in Claim 38 wherein said da- 
ta comprises identification data and a user defina- 
ble character string supplied by said particular user 

40. The method as recited in Claim 38 wherein said par- 



I ticular substitute ideniifier comprises a particular 

substitute user name and a particular substitute us- 
er password. 

s 41, The method as recited in Claim 38 further compris- 
ing the step of constructing a particular substitute 
electronic mail address for said particular user from 
said data. 

'0 42. The method as recited in Claim 38 wherein said 
step of constructing comprises the step of con- 
structing said particular substitute identifier from an 
address of said server site, saki particular substitute 
kientifier therefore being specific to said server site. 

IS 

43. The method as recited in Claim 38 wherein sati 
server site is a World Wide Web site capable of pre- 
senting at least one web page to saki users, sakl 
method further comprising the step of transmitting 

20 said panicular substitute identifier to said server site 
under direction of said particular user. 

44. The method as recited in Claim 38 wherein sakj 
step of transmrtting comprises the step of transmit- 

25 ting said particular substitute identifier to said server 
site based on alphanumeric codes supplied in web 
page fields by said user 

45. The method as recited in Claim 44 wherein saki al- 
30 phanumeric codes are arranged in escape se- 
quences. 

46. The method as recited in Claim 38 further compris- 
ing the step of removing portions of said browsing 

35 commands that would identify said particular user 
to said server site. 

47. The method as recrted in Claim 46 wherein saki 
step of constructing is performed on a computer 

^ system associated with said particular user, and . 
said steps of transmitting and thereafter transmit- 
ting are pertonmed on a computer system having a 
network address different from saki computer sys- 
tem associated with said particular user 

45 

48. The method as recited in Claim 38 further compris- 
ing the step of storing electronic mail destined for 
said particular user 

50 49. The method as recited in Claim 38 wherein sakj 
step of constructing comprises the step of applying 
pseudo-random and hash functions to said data re- 
ceived from said particular user 

55 SO. The method as recited in Claim 38 further compris- 
ing the step of creating an electronc mailbox for 
said partkrular user and specific to said server site. 
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51. The method as recited in Claim 50 wherein said 
electronic mailbox has a key associated therewith, 
said key being a f unctran o( said data and an index 
number. 

5 

52. The method as recited in Claim 38 further compris- 
ing the step of collecting electronic mail destined for 
said particular user and contained within at least 
two electronic mailboxes given said particular sub- 
stitute identifier. io 

53. The method as recited in Claim 38 further compris- 
ing the step of adding session tags to said browsing 
commands, said proxy system employing said ses- 
sion tags to associate said particular substitute ?5 
identifier with each of said browsing commands. 

54. The method as recited in Claim 38 further compris- 
ing the step of storing session information specific 

to said particular user and accessible by said server 20 
site. 

55. The method as recited in Claim 38 further compris- 
ing the step of storing electronic payment informa- 
tion, said particular user employing said electronic 2S 
payment information to engage in anonymous com- 
merce with said server site. 
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Welcome to Janus! 



Janus is a system for pcisonalizcd anonymou3 Web access. 

Janus generates consistent untraceable aliases for you from the 
informabon you pnnddc in this page Janus neither stores this 
mionnation nor passes it to any server Consequentially, Janus does 
not authenticate you. You nnist prwidc the same infonnation in future 
sessions to generate the same aliases. 

You will sec this form onfy once at the beginning of the session. You 
caiinot diange the input to Janus during the rest of your session, 
unless Janus detects that it fails to authenticate you. 

pie p.air <user na-iie, alias-secd> should fac unique among ail Janus users. You can use your 
b-mail address as your name to reduce chance of collision with other users. Janus wSl not pass 
your name to any sen'er. Maximal size for user name and seeds is 1 900 characten each. 

Enter your user n ime (use your E-mail address): 



Enter your secret must contain at least 8 characters): 



Verily your secret by typing it again: 
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IsubmitI B 



Click hca for more information about Janus. 
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The New York Tribune 



Registration 

Welcome to The New York Tribune on the Web. If vou re visidng us 
for the first tmc. please register nor by filling out the fom betew. 
incrc is cunentlv no char je for U.S. ncsidents to subscribe to our 
site, but are requiring rtgistiation, which is a cac-timc only 
process. ^ 

If you have already registered, continue to the home pa g^. If 
you ve regstcred, but arc having problems entcnn? the site, 
consult our help section. 

Choca a Sttbtcriber ID for The Hew York Whrnc on the 
Web: 



<Daaa> 



Ctooteapaaswort 



« t t r t t t 



MLmimum five characters 



Uunimum fivccharacten 



Re-qter password for confirmatioa; 



Enter fonr e-mail addrets: 
[I<oooo> 



Help 



fan 
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